Security Procedure: Risk and Vulnerability Assessments

PRINT DISCLAIMER: Official version of this document is accessible in the online policy library at https://policyoffice.ku.edu/. Printed copies may not reflect the most recent updates.

DOCUMENT TYPE:

Procedure

PURPOSE:

The procedure describes a framework for the assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic and paper data held by units of the University and outlines those items normally assessed in a University conducted Risk and Vulnerability Assessment.

APPLIES TO:

This procedure applies to all units connected to the University network. The Information Security Officer shall prioritize the selection of units to be assessed based on regulatory requirements and on need identified through the units' business activities.

CAMPUS:

Edwards, Lawrence, Juniper Gardens, Parsons, Topeka, Yoder

PROCEDURES STATEMENT:

General Policy Provisions

The University utilizes a modified version of the OCTAVE methodology for assessing risks to information systems. The following items shall be assessed on a regular basis, for each unit's technology environment, in all units covered by this policy.

1. Survey of administrative security measures

A. Security awareness training

B. Security Strategy

C. Security Management

D. Security Policies

E. Collaborative security management

F. Contingency planning/Disaster recovery

G. Physical security

H. Authentication and authorization

I. Incident management

J. General staff practices

K. Information management

2. Assessment of information management practice

3. Inventory of information systems

For HIPAA covered components, the above items will be augmented by an enhanced comprehensive risk assessment to include business practices.

CONSEQUENCES:

Units in violation of this policy are subject to the loss of network access privileges and potential disciplinary action for appropriate personnel.

CONTACT:

Office of the Chief Information Officer
1001 Sunnyside Avenue
Lawrence, KS 66045
785-864-4999
kucio@ku.edu

APPROVED BY:

Chief Information Officer

APPROVED ON:

2005-04-01

EFFECTIVE ON:

2005-04-02

REVIEW CYCLE:

Annual (As Needed)

RELATED STATUTES, REGULATIONS, AND/OR POLICIES:

Information Technology Security Policy

CHANGE HISTORY:

03/25/2025: Migration to TeamDynamix from Drupal.
10/11/2024: Updated broken links.
01/26/2022: Updated the contact section.
02/24/2015: Updated to reflect current practice.

Details

Article ID: 21378
Created: Thu 3/13/25 1:21 PM
Modified: Mon 3/31/25 1:03 PM
